© 2018 SAP SE or an SAP affiliate company. All rights reserved.


ADMINISTRATION GUIDE | PUBLIC 
Document Version: 1.2.1 - 2018-08-28 


Administrator Guide: SAP Access Control 12.0 




Content

1 Document History
2 Getting Started
  2.1 About This Document
  2.2 Additional Resources
  2.3 Important SAP Notes
  2.4 SAP Fiori Apps
3 Product Technical Overview
  3.1 Software Components
  3.2 Component Diagram
  3.3 Overall Implementation Sequence
4 Installation
  4.1 Planning
    4.1.1 Product Availability Matrix
    4.1.2 Support Pack Numbering and Compatibility
  4.2 Preparing to Install SAP Access Control 12.0
  4.3 SAP NetWeaver Components
  4.4 Java Components
  4.5 Downloading and Installing Product Versions
    4.5.1 Downloading SAP Access Control 12.0
    4.5.2 Installing the SAP HANA Plug-In
5 Post-Installation
  5.1 Activating the Applications in Clients
  5.2 Checking SAP ICF Services
  5.3 Configuring the SAP NetWeaver Gateway
  5.4 Maintaining System Data
  5.5 Maintaining Plug-in Settings
  5.6 Activating Crystal Reports
  5.7 Activating BC Sets
    5.7.1 SAP Access Control BC Sets
  5.8 Run Role Name Conversion Program
  5.9 SAP Enterprise Portal Configuration
    5.9.1 Creating a System Connection with the SAP Enterprise Portal
Portal Configuration for SAP Access Control Users
Portal Configuration for SAP Solutions for GRC-Licensed Users
Creating the Initial User in the ABAP System
Creating the Initial User in the SAP Enterprise Portal
Setting Up SAP Fiori Launchpad Content for Front-end System
Business Catalogs and Roles for the Fiori Launchpad
Implement SAP Note: 2641804
Operations
Monitoring of the Application
Monitor Templates
Alert Monitoring with CCMS
Detailed Monitoring and Tools for Problem and Performance Analysis
Important Application Objects
Managing the Application
Starting and Stopping
Backup and Restore
System Copy
Periodic Tasks
User Management
Data Archiving and Management
High Availability and Load Balancing
Software Change Management
Transport and Change Management
Development Requests and Development Release Management
Support Packages and Patch Implementation
Troubleshooting
Configuring Remote Connection to SAP Support
Support Components
Categories of System Components for Backup and Restore


1 Document History 


Version   Date         Description

1.0.0     2018-03-28   Initial release

          2018-07-31   Updated component diagram
                       Added SAP Note for: Additional IMG documentation
                       Added SAP Note for: Support pack compatibility matrix
                       Added additional information about Fiori apps and configuration

1.2.0     2018-08-15   Added information for optional HANA plug-in
                       Updated procedure to setup Fiori business catalogs

1.2.1     2018-08-28   Corrected typo for front-end component: UIGRC001 to UIGRAC01 100




2 Getting Started 


SAP Access Control is an enterprise software application that enables organizations to control access and 
prevent fraud across the enterprise, while minimizing the time and cost of compliance. The application 
streamlines compliance processes, including access risk analysis and remediation, business role management, 
access request management, emergency access maintenance, and periodic compliance certifications. It 
delivers immediate visibility of the current risk situation with real-time data. 


2.1 About This Document 


The Administrator Guide for SAP Access Control 12.0 contains information on the technical system landscape,
procedures and requirements for installation, and procedures and tools for the maintenance and operation of
the solution post-installation.


Note


The access control solution is part of the SAP Governance, Risks, and Compliance suite of solutions. Some 
components are shared between the solutions. Therefore, this guide may contain information about shared 
components where relevant. In addition, for convenience, we may use the abbreviated convention GRC 
within this guide. 


Integration Scenarios 


The access control solution also has integration scenarios with other solutions, such as SAP Cloud Identity
Access Governance, access analysis service, SAP SuccessFactors Employee Central, and others.


These integrations are done after the access control solution is installed, and in addition to the implementation 
procedures in this guide. 


For details and information about implementing the integration scenarios, see the respective integration guides 
at https://help.sap.com/viewer/p/SAP_ACCESS_CONTROL. 


2.2 Additional Resources 

Content                                      Location

SAP Help Portal                              http://help.sap.com

Sizing, calculation of hardware              https://www.sap.com/about/benchmark/sizing.quick-sizer.html#quick-sizer
requirements such as CPU, disk, and
memory resources with the Quick Sizer
tool

Released platforms and technology            https://sap.com/products
related topics such as maintenance           To access the Platform Availability Matrix go to
strategies and language support              https://support.sap.com/en/release-upgrade-maintenance.html

Security Guides                              The security guides describe the settings for a medium
                                             security level and offer suggestions for raising security
                                             levels.
                                             For the Access Control 12.0 Security Guide, go to
                                             https://help.sap.com/viewer/p/SAP_ACCESS_CONTROL.
                                             For the SAP NetWeaver Security Guide, go to
                                             https://help.sap.com/viewer/p/SAP_NETWEAVER_750.
                                             Open the relevant guide under the Security section.

Performance                                  http://help.sap.com

Information about Support Package            https://support.sap.com/swdc
Stacks, latest software versions, and
patch level requirements

SAP NetWeaver                                https://help.sap.com/viewer/p/SAP_NETWEAVER


2.3 Important SAP Notes


You must read the following SAP Notes before you start the installation. These SAP Notes contain the most
recent information on the installation as well as corrections to the installation documentation. Make sure that
you have the latest version of each SAP Note, which you can find on SAP Support Portal at
https://support.sap.com.


SAP Note Number   Title

2620641           SAP Access Control 12 Release Information Note

2647067           Release Information Note for UI component for SAP Access Control 12.0.

2602131           Release strategy and Maintenance Information for the ABAP add-on GRCFND_A V1200

2612335           Release strategy and Maintenance Information for the ABAP add-on GRCFND_A V8100

2602564           Release strategy and Maintenance Information for the ABAP add-on GRCPINW V1200_750

2602825           Release strategy and Maintenance Information for the ABAP add-on GRCPIERP V1200_S4

2622112           Access Control 12.0 Support Package 01 - Master Note

2641804           ESH: Accesses to search-related metadata take a long time:
                  Symptoms may include long response time or even timing out when opening NWBC,
                  Enterprise Portal, or Fiori Launchpad.

2672441           AC12 IMG Additional Documentation
                  Documentation nodes accompany each IMG activity to explain the functionality. In
                  rare instances where the documentation node is missing or insufficient, you can
                  find the documentation in this SAP note.

986996            Explanation of delivered risk analysis and remediation rules.


2.4 SAP Fiori Apps 


For more information about available SAP Fiori apps for access control, see SAP Fiori 1.0 for SAP solutions for
GRC on the SAP Access Control product page: http://help.sap.com/grc-ac.


For information about installation of the SAP Fiori Launchpad, and the business catalogs and roles for access
control, see chapter Setting Up SAP Fiori Launchpad Content for Front-end System.




3 Product Technical Overview 


3.1 Software Components 


The following table illustrates the software component matrix for the application: 


Required or   Component/Version              Description
Optional

Required      SAP NetWeaver 7.52 SP00        Foundation application layer on GRC system

Required      SAP Access Control 12.0 SP00   Access control application on GRC system

Optional      UIGRAC01 100                   SAP Fiori UI component on frontend system

Optional      SAP Enterprise Portal 7.x      Versions 7.02 - 7.31 use the 7.02 Plug-In
                                             Version 7.31 and above use the 7.31 Plug-In


The following table lists the plug-in components for target systems. 


Note

For the most updated information on plug-ins and support pack levels, see SAP Note 1352498 - Support
Pack Numbering GRC Access Control.


Required or   Component                  Version                          Description
Optional

Optional      GRCPINW V1200_750          SAP GRC PLUGIN NW 7.50           Access control integration with ERP
                                                                          non-HR functions for NW 7.50

Optional      GRCPIERP V1200_S4          SAP GRC PLUGIN S4HANA 1610+      Access control integration with
                                                                          S4HANA/ERP HR functions

Optional      GRCPIERP V1100_700         SAP GRC 10.1 Plug-in ERP 7.00    Access control integration with ERP
                                                                          HR functions

Optional      GRCPINW V1100_710          SAP GRC 10.1 Plug-in NW 7.10     Access control integration with ERP
                                                                          non-HR functions for NW 7.10

Optional      GRC 10.1 Java Components   SAP GRC AC Portal Plug-in        Portal integration for back-end
                                                                          systems.
                                                                          Note: There is no Portal plug-in for
                                                                          AC12, therefore use the GRC 10.1
                                                                          plug-in.

Optional      HCO_GRC_PI                 SAP GRC 10.1 Plug-in for HANA    SAP GRC 10.1 Plug-in for HANA
                                                                          Note: There is no new HANA plug-in
                                                                          for AC12, therefore use the GRC 10.1
                                                                          plug-in.


3.2 Component Diagram 


The following figure illustrates the technical landscape for the SAP Access Control solution. 

Recommendation


As a best practice, we recommend implementing the access control solution in three phases, with separate
systems for each:


• Development
• Testing
• Production


Caution


We strongly recommend that you use a minimal system landscape for test and demonstration purposes 
only. For performance, high availability, and security reasons, do not use a minimal system landscape as 
your production landscape. 

3.3 Overall Implementation Sequence


Use 


This section describes the sequential implementation steps required to install the application. It includes 
references to the relevant installation documentation and SAP Notes. 


The following table lists all the software components that you need for the installation. To implement a specific 
access control scenario, you may need only a subset of the software components. 


The access control solution supports all the operating and database software systems that are supported by
SAP NetWeaver.


Note

For more information, see the product availability matrix posted at
https://support.sap.com/en/release-upgrade-maintenance.html.


Procedure 


To install the application, use the steps described below. 


Step   Required/   Action                                          Reference
       Optional

1      Required    Install NetWeaver 7.52 SP00 on the GRC          https://help.sap.com/viewer/p/SAP_NETWEAVER
                   system

2      Required    Install GRCFND_A V1200: Add-on Installation     For more information, see SAP Note 2602131
                   on the GRC system

3      Required    Install SAP Access Control 12.0 NetWeaver       For more information, see SAP Note 2602564
                   Plug-In (GRCPINW V1200_750) on the Plug-in
                   system

4      Optional    Install SAP Access Control ERP Plug-In on       For more information, see SAP Note 1855405
                   the Plug-In system (GRCPIERP V1100_700).
                   If SAP HR is installed, you must install
                   GRCPIERP.

5      Optional    Install SAP GRC PLUGIN for S4HANA 1610+         For more information, see SAP Note 2602825
                   (GRCPIERP V1200_S4)

6      Optional    Install SAP Enterprise Portal 7.x               https://help.sap.com/viewer/p/SAP_NETWEAVER

4 Installation


4.1 Planning 


Use 


Perform the following planning steps before you start the installation. 


Procedure 


1. Download and check the relevant SAP Notes listed in this document. 


2. Before you begin your installation, make sure that SAP NetWeaver 7.52 SP00 (ABAP) is properly installed
and configured as described later in this guide. This step is mandatory.

   Note
   SAP Access Control 12.0 runs on SAP NetWeaver 7.52 SP00 HANA or non-HANA databases.


3. SAP Access Control 12.0 requires that you install plug-ins for your ERP system as directed in this guide.

   Note
   If you want to manage access for HANA, you must install the HANA plug-in. For more information, see
   the section of this guide called Installing the SAP HANA Plug-In.


4. Take all applicable security measures. For more information, see the SAP Access Control 12.0 Security
Guide at http://help.sap.com/grc-ac.


5. (Optional) If you want to use the SAP NetWeaver Portal, which is not required if you use the SAP Business
Client (NWBC), install the following programs:

   o GRCPIERP Portal Plug-In
   o GRC_POR 1000 (this replaces NWBC)


6. (Optional) If you plan to use Simplified Access Control, ensure that your browser is HTML5 and CSS3
compliant. Examples of such browsers include Internet Explorer 9, Chrome, and Firefox.


7. (Optional) If you want to use the SAP Fiori Launchpad, review and follow the instructions at
https://help.sap.com/viewer/p/SAP_FIORI_LAUNCHPAD.


8. (Optional) If you want to use Adobe Document Services, install SAP NetWeaver Java.

   Note
   To enable printing from SAP software, download the Adobe Document Services license. For more
   information, see the SAP Library at http://help.sap.com and search on Licensing Adobe Document
   Services. Also see SAP Note 736902, Adobe Credentials.


4.1.1 Product Availability Matrix 


SAP regularly publishes the following information about SAP software releases through the Product Availability
Matrix (PAM):


• Release type (for example, standard release, early adoption release, or focused business solution release)
• Planned availability
• Maintenance durations
• Upgrade paths
• Platform availability, including database platforms and operating systems


For more information, see Product Availability Matrix (https://apps.support.sap.com/sap/support/pam) for
SAP Access Control 12.0.


4.1.2 Support Pack Numbering and Compatibility 


The support pack numbering of SAP Access Control support packs depends on the platform (Java or
ABAP) as well as the Basis version of the back-end (4.6C, 620, 640 or 700+). The differences in numbering
between these components make it difficult to ascertain which support packs to apply.


It is very important that the support pack level of the front-end Java component and back-end ABAP Real-Time
Agent (RTA) are in sync.


Use the information in the following SAP Note to ensure your system is appropriately patched and in sync:
1352498 Support Pack Numbering - SAP Access Control.


4.2 Preparing to Install SAP Access Control 12.0 


Install the access control solution on a standalone system as opposed to installing it along with an SAP
Business Suite or with any SAP Business Suite components such as ERP, SCM, CRM, or SRM.


4.3 SAP NetWeaver Components


Depending on your landscape configuration, the following SAP NetWeaver components are available to install: 


Component                                         Details

Support Package Manager (SPAM) 7.40 or higher     N/A

SAP Basis                                         7.52 SP00

SAP ABA Cross Application Component               7.52 SP00

SAP_GWFND - SAP Gateway Foundation                7.52 SP00

SAP User Interface Technology                     7.52 SP00

SAP BW - SAP Business Warehouse                   7.52 SP00

DMIS                                              2010_1_700
                                                  2011_1_731 SP10 (or latest)

(Optional) SAP NetWeaver Application Server       SAP NetWeaver Java is required to use Adobe Document
Java for Adobe Document Services                  Services. It must be available in the system landscape,
                                                  but does not need to be installed on the same system as
                                                  the access control solution.

                                                  You must create and activate the following JCo
                                                  destinations:
                                                  • WD_ALV_METADATA_DEST
                                                  • WD_ALV_MODELDATA_DEST

                                                  It is essential to create Adobe Credentials; see SAP
                                                  Note 736902.

                                                  If problems occur in forms processing, see SAP Note
                                                  944221 for troubleshooting.


4.4 Java Components 


The Java components, SAP GRC Portal, and SAP GRC Portal Plug-Ins are supported on all SAP NetWeaver 
releases from 7.02 and higher. See the software compatibility matrix to determine the versions of SAP 
NetWeaver, SAP GRC Portal Content, and SAP GRC Portal Plug-Ins that work together. 


Note

The 10.0 version of the Java components is used with the SAP GRC 10.1 system and is also applicable for
SAP Access Control 12.0.


4.5 Downloading and Installing Product Versions


You use different tools to download and install product versions. 


We recommend that you use Software Provisioning Manager (in case of a new installation) or Software Update 
Manager (in case of a system update) in combination with the Maintenance Planner to download, install, and 
update product versions. This facilitates SAP NetWeaver-based application installations, system upgrades and 
updates (including support package stack updates), while offering a harmonized UI. 


Software Provisioning Manager and Software Update Manager are shipped as part of the software logistics
toolset (SL Toolset) 1.0, independently of the applications. You can download these tools from the download
center on SAP Support Portal at http://support.sap.com/swdc.


Maintenance Planner is the central point of access for all maintenance activities. It supports the installation of
updates and upgrades and completely manages the maintenance activities for your whole solution.
Maintenance Planner calculates the required software components, enables the download of archives, and
creates a stack configuration file. You can find more information on SAP Help Portal at
http://help.sap.com/viewer/p/MAINTENANCE_PLANNER.


4.5.1 Downloading SAP Access Control 12.0 


1. Go to the SAP Software Distribution Center at https://support.sap.com/swdc.
2. Download the access control solution from:

   Software Downloads > Installations and Upgrades > A - Z Index > G > SAP GRC Access Control > SAP
   Access Control 12.0


4.5.2 Installing the SAP HANA Plug-In 


Use 


Install the following Plug-In if you are using the SAP HANA database: 


Technical name                HCO_GRC_PI

Software Component Version    SAP GRC 10.1 Plug-in SAP HANA or higher


Procedure


You download this plug-in as follows:
1. Go to https://support.sap.com/swdc.
2. Choose Software Downloads > Installations and Upgrades > A - Z Index > G > SAP GRC Access Control >
   SAP Access Control > SAP Access Control 10.1 > Installation.
3. Select the HCO_GRC_PI download object.


More Information


For more information, see SAP Note 1597627 SAP HANA Connection.


5 Post-Installation


After downloading and installing the files described in the previous sections, configure the product by following 
the post-installation sections in the order that they are presented. 


5.1 Activating the Applications in Clients 


Use 


After the installation is complete and the access control solution is in place, you must activate the
applications in each client.


Procedure 


Complete the following steps to activate the applications: 


1. Open the SAP Reference IMG by going to Tools > Customizing > IMG > Execute Project (transaction
   SPRO).
2. Display the SAP Reference IMG.
3. Choose Governance, Risk, and Compliance > General Settings > Activate Applications in Client.
4. Execute Activate Applications in Client.
5. Activate an application component by following the steps below:
   1. Choose the New Entries pushbutton.
   2. Select an application component from the dropdown list.
   3. In the Active column, select the check box for each application that you want to use.

   The application component activation is now complete.


5.2 Checking SAP ICF Services


Use 


Specific Internet Communication Framework (ICF) SAP Services, and SAP GRC services need to be activated. 
They are inactive by default after an installation or an upgrade. Check that all the relevant services are active. 


For more information about activating these services, see SAP Note 1088717, Active services for Web Dynpro 
ABAP in transaction SICF. 


Procedure 


1. Activate each of the following ICF service nodes:

   o /sap/public/bc
   o /sap/public/bc/icons
   o /sap/public/bc/icons_rtl
   o /sap/public/bc/its
   o /sap/public/bc/pictograms
   o /sap/public/bc/ur
   o /sap/public/bc/webdynpro
   o /sap/public/bc/webdynpro/mimes
   o /sap/public/bc/webdynpro/adobeChallenge
   o /sap/public/bc/webdynpro/ssr
   o /sap/public/bc/webicons
   o /sap/public/myssocntl

   Note
   You can also activate all ICF services within:
   o /sap/public
   o /sap/bc
   o /sap/grc

2. Activate all GRAC services.
3. Activate all services under /sap/bc/webdynpro/sap.
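
As an added example (not SAP code and not part of the guide), the following Python script audits an export of ICF node states against the nodes this procedure names, reporting required nodes that are not reachable and active nodes the procedure does not call for. The export format (one path and active/inactive per line), the grac segment prefix used to recognise GRAC services, and the rule that a node counts as reachable only when no listed parent node is inactive are assumptions of the example; the sample data is constructed.

```python
# Added example: audit an ICF node export against section 5.2 of this guide.
# Assumptions (not from the guide): the export has one "<path> <active|inactive>"
# pair per line, GRAC services have a path segment starting with "grac", and a
# node is reachable only if no parent node listed in the export is inactive.

REQUIRED_NODES = [  # step 1 of the procedure
    "/sap/public/bc",
    "/sap/public/bc/icons",
    "/sap/public/bc/icons_rtl",
    "/sap/public/bc/its",
    "/sap/public/bc/pictograms",
    "/sap/public/bc/ur",
    "/sap/public/bc/webdynpro",
    "/sap/public/bc/webdynpro/mimes",
    "/sap/public/bc/webdynpro/adobeChallenge",
    "/sap/public/bc/webdynpro/ssr",
    "/sap/public/bc/webicons",
    "/sap/public/myssocntl",
]
EXPECTED_SUBTREE = "/sap/bc/webdynpro/sap"  # step 3
GRAC_PREFIX = "grac"                        # step 2 (assumed naming)

# Constructed sample, not the output of any SAP tool.
SAMPLE_EXPORT = """
# path                                    state
/sap/public/bc                            active
/sap/public/bc/icons                      active
/sap/public/bc/icons_rtl                  active
/sap/public/bc/its                        active
/sap/public/bc/pictograms                 active
/sap/public/bc/ur                         active
/sap/public/bc/webdynpro                  inactive
/sap/public/bc/webdynpro/mimes            active
/sap/public/bc/webdynpro/adobeChallenge   active
/sap/public/bc/webdynpro/ssr              active
/sap/public/bc/webicons                   active
/sap/bc                                   active
/sap/bc/webdynpro                         active
/sap/bc/webdynpro/sap                     active
/sap/bc/webdynpro/sap/grac_demo_app       active
/sap/grc                                  active
/sap/grc/grac_demo_service                active
/sap/bc/zz_demo_extra                     active
/sap/bc/zz_demo_unused                    inactive
"""


def normalize(path):
    """Compare paths case-insensitively, without duplicate or trailing slashes."""
    parts = [p for p in path.strip().lower().split("/") if p]
    return "/" + "/".join(parts)


def ancestors(path):
    """Proper parent nodes of a normalized path: /a/b/c -> ['/a', '/a/b']."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def parse_export(text):
    """Return {normalized path: True if active}; skip comments and blanks."""
    state = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2 or fields[0].startswith("#"):
            continue
        state[normalize(fields[0])] = fields[1].lower() == "active"
    return state


def reachable(path, state):
    """Node is active and no parent listed in the export is inactive."""
    if not state.get(path, False):
        return False
    return all(state.get(parent, True) for parent in ancestors(path))


def is_expected(path):
    """True if the procedure in section 5.2 calls for this node."""
    if path in {normalize(p) for p in REQUIRED_NODES}:
        return True
    if path == EXPECTED_SUBTREE or path.startswith(EXPECTED_SUBTREE + "/"):
        return True
    return any(seg.startswith(GRAC_PREFIX) for seg in path.strip("/").split("/"))


def audit(text):
    """Report required nodes that are unreachable and active nodes not called for."""
    state = parse_export(text)
    required = [normalize(p) for p in REQUIRED_NODES]
    missing = sorted(p for p in required if not reachable(p, state))
    expected_active = {p for p, on in state.items() if on and is_expected(p)}
    # Parents of expected nodes must be active too, so they are not findings.
    allowed_parents = set()
    for p in set(required) | {EXPECTED_SUBTREE} | expected_active:
        allowed_parents.update(ancestors(p))
    unexpected = sorted(
        p for p, on in state.items()
        if on and p not in expected_active and p not in allowed_parents
    )
    return {"missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for kind in ("missing", "unexpected"):
        for node in report[kind]:
            print(f"{kind:10} {node}")
```

Nodes reported as unexpected are candidates for review when whole subtrees such as /sap/bc were activated instead of the individual nodes listed in step 1.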

5.3 Configuring the SAP NetWeaver Gateway


Use 


In order to use some of the new functionality in the access control solution, such as the Remediation View in 
SAP Access Risk Analysis, an SAP NetWeaver Gateway connection must be established. Follow these steps to 
maintain or verify the connector. 


Procedure 


1. Log on to an SAP NetWeaver system and access the SAP Reference IMG as follows: from the SAP Easy
   Access menu, choose Tools > Customizing > IMG > Execute Project (transaction SPRO).

2. Choose SAP Reference IMG > SAP NetWeaver > Gateway > OData Channel > Configuration >
   Connection Settings > SAP NetWeaver Gateway to SAP System.

3. Choose Manage RFC Destinations and create an RFC (communication) destination that points to the
   system itself.

   Caution
   Be sure to specify the proper RFC Type, client, and user information using the naming convention:
   <System SID>CLNT<Client Number>; for example, GD1CLNT200.

4. If you are using Single-Signon, choose Define Trust for SAP Business Systems. Complete the fields with the
   information you provided in Step 3.

   Note
   This step only applies if you are using Single-Signon.

5. Choose Manage SAP System Aliases to create the system alias for the RFC destination that you created in
   Step 3.

6. Choose New Entries and enter the following values:

   Field Name          What You Enter

   SAP System Alias    Enter the name of the RFC destination that you created in Step 3.

   Description         Enter a description that is meaningful to your installation.

   RFC Destination     Enter the name of the RFC destination that you created in Step 3.

   Software Version    Choose the value DEFAULT from the drop down list.

7. Save your entries.

8. If required, choose Activate or Deactivate SAP NetWeaver Gateway to activate the SAP NetWeaver Gateway
   Services.

9. Choose SAP NetWeaver > Gateway > OData Channel > Administration > General Settings.

10. Choose Activate and Maintain Services. The system displays a list of all the services that have been created
    in the backend system.

11. Click to select the Technical Service GRAC_GW_VIOLSUMM_REM_SRV.

12. In the System Aliases section (bottom right-hand corner), click Add System Alias.

13. Enter GRAC_GW_VIOLSUMM_REM_SRV_0001 as the Service Doc. Identifier.

14. For the SAP System Alias, enter the system alias name that you created in Step 6.

15. Click the check box for Default System.

16. Save your entries.

17. On the Activate and Maintain Services screen, in the ICF Node section (bottom left-hand corner), verify that
    the traffic light in front of the ICF Node is green. If it is not, click the ICF Node field and select Activate from
    the ICF Node dropdown menu.

18. If required, Save your settings.

19. You may need to perform additional activations depending on what has already been activated in your
    environment. To do so, on the Activate and Maintain Services screen, repeat steps 11 through 18 for the
    following services:

    Technical Service Name    External Service Name    Service Doc Identifier

    /IWFND/SG_MED_CATALOG     CATALOGSERVICE           /IWFND/SG_MED_CATALOG_0001

    /IWFND/SG_USER_SERVICE    USERSERVICE              /IWFND/SG_USER_SERVICE_000

    Note
    This step is optional. It may not be required in some environments where the services have already
    been activated.


More Information


For more information, see the SAP Help portal at http://help.sap.com and search for: SAP NetWeaver
Gateway Developer Guide. Then choose OData Channel > Basic Features > Service Life-Cycle > Activate and
Maintain Services.

5.4 Maintaining System Data


Complete the Add-On Product Version in your system data application so that customer support can see
that the access control solution is implemented in your environment.


Procedure


1. Go to SAP Support Portal at https://support.sap.com/en/index.html and choose My Support > Systems &
   Installations > System Data > Manage Systems.
2. Use the search function provided to select an installed SAP system.
3. On the System tab, scroll down to the Add-On/Enhancement Pack section.
4. Insert a line.
5. Select the SAP Access Control 12.0 package from the list.
6. Save your changes.
7. Repeat this procedure for all SAP systems.


5.5 Maintaining Plug-in Settings 


Use 


Once you install the plug-in components, Non-HR (GRCPINW), and, optionally, HR (GRCPIERP), you must 
maintain the plug-in user exit and configuration settings. 


Procedure 


In the IMG activity below, you maintain the user exit settings that are required to run Risk Terminator in Role 
Maintenance (transaction PFCG). Risk Terminator enables real time risk analysis while making changes to role 
authorizations or role assignments in the Plug-In system. 


1. Open the SAP Reference IMG from Tools > Customizing > IMG > Execute Project (transaction SPRO).
2. Display the SAP Reference IMG.
3. Open Governance, Risk, and Compliance (Plug-In) > Access Control.
4. Maintain the necessary IMG activities for your system according to the instructions in the IMG
   documentation that is located at the left of each of the following IMG nodes:
   o Maintain User Exits for Plug-in Systems
   o Maintain Plug-in Configuration Settings


5.6 Activating Crystal Reports 


To use the Crystal Reports function, activate the flag Allow Crystal Reports in Customizing under SAP
NetWeaver > Application Server > SAP List Viewer (ALV) > Maintain Web Dynpro ABAP-Specific Settings.


5.7 Activating BC Sets 


BC sets are delivered implementation toolsets that simplify the Customizing process. You activate Business 
Configuration (BC) sets after the software is installed. 


Caution


You can activate a BC set only if that client is not a production client. When you activate the BC set, all data
in the BC set is transferred into the corresponding tables and any existing entries are overwritten.


Recommendation


Always consult with the functional experts for your application before activating any of the BC sets.


See SAP Solution Manager for information about Customizing activities at
https://support.sap.com/solutionmanager.


For more information about BC sets, see https://help.sap.com/viewer/p/SAP_NETWEAVER_750.


Procedure 


1. From the SAP Easy Access screen, choose Tools > Customizing > IMG > Execute Project > SAP
   Reference IMG.

2. Choose Existing BC Sets from the toolbar in the Implementation Guide to identify all of the IMG activities
   that have BC sets.

3. Select one of these IMG activities and choose the BC Sets for Activity button.
   The system displays the contents of the BC set in a new window.

4. To activate this BC set, choose the pull-down menu Go to > Activation Transaction.

5. Select the icon for Activate BC Set (or use F7).
   The Activation Options screen opens.

6. Choose Continue.
   A completion message appears: Activation successfully completed. If a yellow informational message
   appears, choose Enter and then the completion message appears.

   Note
   A message with a yellow background is only a warning and you can proceed. A message with a red
   background is an error message and you must resolve the error. If you receive a Basis error message
   with a red background, contact your system administrator.


5.7.1 SAP Access Control BC Sets 


The following tables list the BC sets for the access control solution categorized by type. BC sets marked with an 
asterisk (*) indicate that you can also activate them in Customizing. 


-> Recommendation 


Always consult with the access control solution functional experts before activating the BC sets for rules 
such as Segregation of Duties (SoD)to determine which rule sets are relevant for your implementation. 


Specific to Access Risk Analysis

BC Set                        BC Set Name
GRAC_RA_RULESET_COMMON        SoD Rules Set
GRAC_RA_RULESET_JDE           JDE Rules Set
GRAC_RA_RULESET_ORACLE        ORACLE Rules Set
GRAC_RA_RULESET_PSOFT         PSOFT Rules Set
GRAC_RA_RULESET_SAP_APO       JDE Rules Set
GRAC_RA_RULESET_SAP_BASIS     SAP BASIS Rules Set
GRAC_RA_RULESET_SAP_CRM       SAP CRM Rules Set
GRAC_RA_RULESET_SAP_ECCS      SAP ECCS Rules Set
GRAC_RA_RULESET_SAP_HR        SAP HR Rules Set
GRAC_RA_RULESET_SAP_NHR       SAP R/3 less HR Basis Rules Set
GRAC_RA_RULESET_SAP_R3        SAP R/3 AC Rules Set
GRAC_RA_RULESET_SAP_SRM       SAP SRM Rules Set
GRAC_RA_RULESET_S4HANA_ALL    Rule set for risk analysis integration with Fiori Apps on S/4HANA on-premise systems.


Specific to Access Request Management

BC Set                               BC Set Name
GRAC_ACCESS_REQUEST_REQ_TYPE*        Request Type
GRAC_ACCESS_REQUEST_EUP*             EUP (Note: Only the value EU ID 999 is valid for this BC set.)
GRAC_ACCESS_REQUEST_APPL_MAPPING*    Mapping BRF Function IDs and AC Applications
GRAC_ACCESS_REQUEST_PRIORITY*        Request Priority
GRAC_DT_REQUEST_DISPLAY_SECTIONS     Simplified Access Request Display Sections
GRAC_DT_REQUEST_FIELD_LABELS         Simplified Access Request Field Labels
GRAC_DT_REQUEST_PAGE_SETTINGS        Simplified Access Request Page Settings

Specific to Business Role Management

BC Set                               BC Set Name
GRAC_ROLE_MGMT_SENTIVITY*            Sensitivity
GRAC_ROLE_MGMT_METHODOLOGY*          Methodology Process and Steps
GRAC_ROLE_MGMT_ROLE_STATUS*          Role Status
GRAC_ROLE_MGMT_PRE_REQ_TYPE*         Prerequisite Types
GRAC_ROLE_SEARCH_COFIGURATION        Role Search Configuration for Access Request

Specific to Superuser Management

BC Set                               BC Set Name
GRAC_SPM_CRITICALITY_LEVEL*          Criticality Levels

Specific to Workflow

BC Set                               BC Set Name
GRC_MSMP_CONFIGURATION*              MSMP Workflow Configuration Rules Set


5.8 Run Role Name Conversion Program 


Customers may use varied standards when naming roles in their landscape. This may result in failed role
searches when submitting access requests. The below program is used to convert roles into upper case to
improve search.


Run the GRAC ROL 


i" 


NAM 


issues from role name mismatch. 

5.9 SAP Enterprise Portal Configuration


5.9.1 Creating a System Connection with the SAP Enterprise Portal


For information about how to create an SAP Enterprise Portal system connection for access control solution, 
see: https://help.sap.com/viewer/p/SAP_NETWEAVER_750 > SAP Enterprise Portal. 


SAP provides a set of sample roles that include the recommended authorizations. You can create your own 
PFCG roles or copy the sample roles to your customer namespace and then modify them as needed. 


For more information about the delivered roles, see the Security Guide for SAP Access Control 12.0 at
https://help.sap.com/viewer/p/SAP_ACCESS_CONTROL.


5.9.2 Portal Configuration for SAP Access Control Users 


The list below contains the system aliases and portal roles that you configure if you only have SAP Access
Control in your system landscape.

* System Aliases:
  o The system alias must use SAP-GRC, SAP-GRC-AC, and SAP GRC.
* Portal Roles:
  o Assign the role GRC ACCESS CONTROL to users.
  o Assign the role ERP COMMON to everyone in the user group.


Note

For SAP Access Control only environments, you must assign the GRC Access Control role to at least one
user.


5.9.3 Portal Configuration for SAP Solutions for GRC-Licensed Users


The access control solution is part of a GRC suite. If your system landscape contains more than one GRC
component (SAP Access Control, SAP Process Control, or SAP Risk Management), you configure the system
aliases and portal roles as follows:


System Aliases

GRC Component                           System Alias Configuration
If SAP Access Control is activated:     The system alias must use SAP-GRC, SAP-GRC-AC, and SAP GRC.
If SAP Process Control is activated:    The system alias must use SAP-GRC and SAP-GRC-PC, and SAP GRC.
If SAP Risk Management is activated:    The system alias must use SAP-GRC and SAP-GRC-RM, and SAP GRC.


Portal Roles

Assign to                     Role Name
User                          GRC SUITE
Everyone in the user group    ERP COMMON
User, if needed               GRC Internal Audit Management


5.9.4 Creating the Initial User in the ABAP System 


The access control solution uses various roles to interface with the SAP system. This section explains how to
create your initial ABAP system user for SAP Access Control.


Note

This section uses the delivered roles as examples only. As you complete the procedure, you must replace
the delivered roles with equivalent roles in your customer namespace.


Procedure

1. Assign all access control users the role SAP_GRAC_BASE so they can access the access control
   applications.

2. Assign the role SAP_GRAC_ALL to the user who will perform Customizing. This role is the power user role. It
   gives the designated user the ability to see and do everything without being assigned to a specific SAP
   Access Control role. This role is typically assigned to the user who creates the organization structures and
   assigns the business roles to all the other users.

   Note

   The role does not contain the authorizations for Workflow Customizing, Case Management, or web
   services activation. For these authorizations, use the role SAP_GRAC_SETUP.

   Caution

   Assign the SAP_GRAC_ALL role carefully, since a user assigned to this role can make pervasive
   changes.

   For more information on the SAP_GRAC_ALL role and its authorizations, see the Security Guide at:
   https://help.sap.com/viewer/p/SAP_ACCESS_CONTROL.

3. Using transaction SU01, create a user.

4. If this user needs to receive workflow notifications via e-mail, on the Address data tab, assign an e-mail
   address and a Comm. Meth of E-Mail to the user.

5. On the Roles tab, assign the roles SAP_GRAC_BASE and SAP_GRAC_ALL to this user.

   This user can now use transaction SPRO to complete the Customizing configuration, including such steps
   as activating the Business Configuration (BC) sets and assigning roles to other users.
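
The following Python script is an added example, not part of the SAP guide and not SAP code. It reviews a role-assignment export against the Note and Caution in this procedure: it lists who currently holds the power user and setup roles, and which delivered SAP_GRAC_ roles are still assigned instead of customer-namespace copies. The CSV layout (columns named after fields of table AGR_USERS), the ZGRAC_ role names, the approved-user list and the check for open-ended validity are assumptions made for the example.

```python
import csv
import io
from datetime import date, datetime

# Delivered roles named in this section of the guide.
DELIVERED_PREFIX = "SAP_GRAC_"
DELIVERED_SENSITIVE = {"SAP_GRAC_ALL", "SAP_GRAC_SETUP"}
OPEN_END = date(9999, 12, 31)  # validity end used for "no end date"

# Constructed sample data, not taken from a real system. Column names follow
# the fields of table AGR_USERS; the CSV export layout is an assumption.
# ZGRAC_* are hypothetical customer-namespace copies of the delivered roles.
SAMPLE_EXPORT = """\
UNAME,AGR_NAME,FROM_DAT,TO_DAT
GRCADMIN,SAP_GRAC_BASE,20180901,99991231
GRCADMIN,SAP_GRAC_ALL,20180901,99991231
IMPLUSER,ZGRAC_ALL,20180901,20181231
IMPLUSER,ZGRAC_BASE,20180901,99991231
JDOE,ZGRAC_BASE,20180905,99991231
JDOE,ZGRAC_ALL,20180101,20180630
SUPPORT1,SAP_GRAC_SETUP,20180910,99991231
"""


def _parse_date(value):
    """Parse a YYYYMMDD validity date as exported from the role tables."""
    return datetime.strptime(value.strip(), "%Y%m%d").date()


def audit_role_assignments(export_text, today, approved_power_users,
                           customer_sensitive_roles=()):
    """Return sorted (user, role, finding) tuples for active assignments.

    Findings:
      delivered_role   - a delivered SAP_GRAC_* role is assigned directly,
                         although the guide says to use customer copies
      unapproved_power - a power/setup role is held by a user who is not on
                         the approved list (assumed local policy)
      open_ended_power - a power/setup role has no end date (assumed policy:
                         such roles should be time-boxed)
    """
    sensitive = DELIVERED_SENSITIVE | {r.upper() for r in customer_sensitive_roles}
    approved = {u.upper() for u in approved_power_users}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["UNAME"].strip().upper()
        role = row["AGR_NAME"].strip().upper()
        start, end = _parse_date(row["FROM_DAT"]), _parse_date(row["TO_DAT"])
        if not (start <= today <= end):
            continue  # expired or future assignments grant nothing today
        if role.startswith(DELIVERED_PREFIX):
            findings.append((user, role, "delivered_role"))
        if role in sensitive:
            if user not in approved:
                findings.append((user, role, "unapproved_power"))
            if end == OPEN_END:
                findings.append((user, role, "open_ended_power"))
    return sorted(findings)


if __name__ == "__main__":
    report = audit_role_assignments(
        SAMPLE_EXPORT,
        today=date(2018, 10, 1),
        approved_power_users={"GRCADMIN", "IMPLUSER"},
        customer_sensitive_roles={"ZGRAC_ALL"},
    )
    for user, role, finding in report:
        print(f"{finding:17} {user:10} {role}")
```

Customer copies of the power role are only recognized if they are passed in `customer_sensitive_roles`, so keep that list in step with the roles you create in your own namespace.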


5.9.5 Creating the Initial User in the SAP Enterprise Portal 


The navigation tabs and work centers for SAP Access Control are defined in the portal roles that are maintained 
in the SAP GRC portal package. 


After creating the portal user, the portal administrator must assign to that user the SAP GRC portal roles. 
These portal roles enable the user to see the SAP GRC navigation and work centers tabs. 


Note


This section uses the delivered roles as examples. As you complete the procedure, you must replace the
delivered roles with equivalent roles in your customer namespace.


Procedure 


1. Log on as the portal user administrator and access the User Administration function.

   If a user has already been created by the User Management Engine (UME) that is connected to the SAP
   GRC ABAP system, you do not need to create a user in the portal system.

   If a user has not been created by the User Management Engine (UME), create a new portal user and
   assign the SAP GRC ABAP system to the user in the User Mapping for System Access tab, along with a
   mapped user ID and password.

2. Go to the Assigned Roles tab and assign the role GRC Suite (name:
   pcd:portal_content/com.sap.pct/com.sap.grc.grac/com.sap.grc.ac.roles/com.sap.grc.ac.Role_All) to the
   user who has the power user role SAP_GRAC_ALL in the ABAP system. This role enables the power user to
   view the work centers.


More Information 


For more information about the visibility of work centers, see the Security Guide at:
https://help.sap.com/viewer/p/SAP_ACCESS_CONTROL.


This information is based on the technologies delivered by SAP NetWeaver Portal. For more information, see
the Portal Security Guide at
http://help.sap.com/saphelp_spm21_bw/helpdata/en/5c/429f00214aa54195b1c63ae1512d10/frameset.htm.


5.10 Setting Up SAP Fiori Launchpad Content for Front-end System


The SAP Fiori Launchpad is a shell that hosts SAP Fiori apps, and provides the apps with services such as
navigation, personalization, embedded support, and application configuration. SAP Access Control 12.0 SP00
delivers a set of SAP Fiori business catalogs that enable you to open the Web Dynpro Access Control
applications in the launchpad.


This section describes the procedure to add the access control business catalogs to your launchpad. The
procedure is relevant only for landscapes using SAP Fiori Launchpad.


The access control back-end component contains the technical catalog containing information about the tiles,
which we call the app descriptors. The front-end component UIGRAC01 100 contains the business catalogs
and business roles. We replicate the technical catalog from the back end into the front end to establish a
connection between the technical catalog and the business catalog.


Prerequisite


You have installed the front-end component UIGRAC01 100. The component contains the
business catalogs and business roles for SAP Access Control 12.0.


There are three main steps to configuring the business catalogs for access control:


1. Create RFC Connections
2. Map the RFC Connections
3. Replicate the Technical Catalog from the Back-end System


These steps are described in more detail in the sections below.


For additional information, see Implementation Tasks on the Front-end Server in the UI Technology Guide for
S/4HANA.


Create RFC Connections


1. In the front-end system start transaction SM59.

2. Create two RFC connections: one of type ABAP Connection and one of type H - HTTP connection to
   ABAP System.
   Use the following naming conventions:
   o ABAP connection: «Logical System Alias»_RFC
   o HTTP connection: «Logical System Alias»_HTTP or «Logical System Alias»_HTTPS

   Recommendation
   We recommend using an HTTPS connection. Set the SSL option to Active.

3. For the ABAP connection, set Trusted Relationship to Yes, and set Current User to True.

4. For each connection, enter the Target Host under Technical Settings, and configure the settings under
   Logon & Security.


Map the RFC Connections 


1. Open the maintenance view /UI2/V_ALIASMAP.

2. Map the connections in table /UI2/SYSALIASMAP.

   Map the connections as follows:

   Client                      Source System Alias    Target System Alias
   «Your Front-end Client»     SOHGRAC                «Logical System Alias»


Replicate the Technical Catalog from the Back-end System


1. Launch the report /UI2/GET_APP_DESCR_REMOTE_DEV.

2. Enter the following values:

   Replication System Alias: SOHGRAC

   Back-end Technical Catalog ID: SAP_TC_GRC_AC_BE_APPS

3. Select the Test Mode, and choose Execute to test the configuration. The catalogs are not replicated in
   test mode. A log is displayed showing the results.

4. If the log does not contain any errors, deselect Test Mode and choose Execute to replicate the business
   catalogs.

   Recommendation

   We recommend scheduling the report to run daily. As the report needs to run after every system
   update, scheduling the report to run daily ensures that you have up-to-date information in the SAP Fiori
   launchpad designer.


5.10.1 Business Catalogs and Roles for the Fiori Launchpad


The following business catalogs and business roles are delivered as part of the front-end component
UIGRAC01 100.


Delivered Business Catalog Roles


Depending on your business requirement you can assign the following delivered roles to your users:


Note


These roles are examples. You can copy them to your own namespace or create your own.


Delivered Business Catalog Role    Description
SAP_GRAC_BCR_CMPLNCMGR_T           Compliance Manager
SAP_GRAC_BCR_EMPLOYEE_T            Access Control Employee
SAP_GRAC_BCR_MANAGER_T             Request Approver
SAP_GRAC_BCR_REQADMINTR_T          Access Control Administrator
SAP_GRAC_BCR_SCRTYMGR_T            Security Manager


Delivered Business Catalogs


These are the corresponding delivered business catalogs.


Delivered Business Catalog Role    Description
SAP_GRAC_BCR_CMPLNCMGR_T           Compliance Manager
SAP_GRAC_BCR_EMPLOYEE_T            Access Control Employee
SAP_GRAC_BCR_MANAGER_T             Request Approver
SAP_GRAC_BCR_REQADMINTR_T          Access Control Administrator
SAP_GRAC_BCR_SCRTYMGR_T            Security Manager

5.11 Implement SAP Note: 2641804 


After installation or upgrade you may need to refresh the CDS configuration. 


Symptoms may include Fiori Launchpad or applications via NWBC taking a long time to open or the session 
timing out. 


To resolve the issue, implement SAP Note 26413044. 


6 Operations


6.1 Monitoring of the Application 


To monitor the access control solution, you can use Computing Center Management System (CCMS). The 
CCMS provides a range of monitors for monitoring the SAP environments and its components. These monitors 
are indispensable for understanding and evaluating the behavior of the SAP processing environment. In the 
case of poor performance values, the monitors provide you with the information required to fine tune your SAP 
system and therefore to ensure that your SAP installation is running efficiently. The transaction code is RZ20. 


For information on setting up and using CCMS, see https://help.sap.com/viewer/p/SAP_NETWEAVER_750
» Solution Life Cycle Management » Monitoring in the CCMS.


6.1.1 Monitor Templates 


You use monitor templates to specify files and search patterns to be checked for the access control solution in 
your system landscape. 


Monitor Templates

Monitor Type                        Name
CCMS Monitor Templates              Background Processing
                                    Performance Overview
                                    Syslog
SAP Web Service Monitor Template    Web Service Monitor


6.1.2 Alert Monitoring with CCMS


Proactive, automated monitoring is the basis for ensuring reliable operations for your SAP system 
environment. SAP provides you with the infrastructure needed to set up your alert monitoring to recognize 
situations for the access control solution. 


-> Recommendation 


To enable the auto-alert mechanism of CCMS, see SAP Note 617547.


6.1.2.1 Component Specific Monitoring 


You use CCMS to monitor the following data for the access control solution: 


* Background job
* Performance Overview
* DB access time
* System log
* System errors
* Web Services Call


Background Jobs 


Monitor the background job status for jobs that are aborted, canceled, or have been running for a long time. 


You can check the details of canceled jobs by selecting a job and clicking Step. 


Note


The Program name/command for the access control solution starts with GRAC.


Performance Overview


In the Performance Overview templates, look for processes with a high Response Time. The access control
solution processes begin with GRAC.


System Logs


Monitor system logs for any errors, such as System Log (Syslog): Local Analysis and R3Syslog. The R3Syslog 
displays runtime errors. 


You can review the transaction codes for the access control solution for errors. You can get the complete list of 
access control transaction codes with transaction code SE93. Search for GRAC*. 


Some of the most used codes include:

Access Control Transaction Codes

Transaction Code       Description
NWBC                   Access the majority of the Access Control capabilities and reports (role: SAP_GRC_NWBC)
GRAC_ALERT_GENERATE    Alert generation
GRAC_BATCH_RA          Risk Analysis in Batch Mode
GRAC_EAM               Emergency Access Management (EAM) Launchpad Logon
GRAC_SPM_CLEANUP       Cleanup EAM (SPM) Application Data
GRACRABATCH_MONITOR    Batch Risk Analysis Monitor


System Errors 


You review the CCMS Monitor Templates (System Errors) for error messages, such as Aborted Batch Jobs and
Update Errors.


Web Services 


Monitor the SAP Web Service Monitor Templates for web service errors, such as:

* Task Watcher
* Supervisor Destination
* Web Services Reliable Messaging (WSRM) Event Handler
* Web Services (WS) Namespace for Inbound Destinations
* WS Service Destinations


6.1.3 Detailed Monitoring and Tools for Problem and Performance Analysis


The access control solution is based on SAP NetWeaver Web Application Server 7.52, and uses the tools included with
SAP NetWeaver for analysis of items such as database, operating system, and workload.


In this section, we list the specific application log subobjects used by the access control solution. 
To view Job Logs, use transaction SM37. 
To view Work item Logs, use transaction SWI1. 


For information about technical problem analysis within an SAP NetWeaver landscape, see Technical Operations
Manual for SAP NetWeaver.


6.1.3.1 Trace and Log Files


You use SAP NetWeaver transactions, such as ST22 and SM21, to monitor trace and log files. The archiving
object for Access Control is GRAC_REQ.


Application Logs


The access control solution uses the SAP NetWeaver application logs to store application errors, warnings, and
success messages issued in critical processes. For example, UI transaction messages are stored in the SAP
NetWeaver application log. The application logs can be monitored with transaction SLG1.


The following tables list the log subobjects. The Access Control log object is GRAC. 


Access Control Log Subobjects

Log Object    Log Subobjects       Description
GRAC          AUTH                 Authorization check
GRAC          BATCH                Batch risk analysis
GRAC          HRTRIGGER            HR trigger
GRAC          SOD_RISK_ANALYSIS    Segregation of Duties (SOD) Risk Analysis
GRAC          SPM                  Emergency Access Management log
GRAC          UAR                  User Access Review (UAR)


The following table lists the GRC shared log subobjects. The shared components log object is GRFN.

GRC Foundation (shared) Log Subobjects

Log Object    Log Subobjects    Description
GRFN          AC_PROV           Access Control Provisioning Engine
GRFN          AC_REP            Access Control Repository
GRFN          API               GRC API logging
GRFN          ASYNC_UPDATE      Asynchronous Update Infrastructure
GRFN          AUTH              GRC authorization
GRFN          CASE_INT          Continuous monitoring case integration
GRFN          FDS               Continuous monitoring flexible data store
GRFN          HRMAINT           Access to HR ORG maintenance
GRFN          IO_EXPORT         IO Export
GRFN          IO_IMPORT         IO Import
GRFN          IO_META           IO Metadata
GRFN          JOB               AMF Job Step Execution
GRFN          JOB_DESIGN        AMF Job Step Design Time
GRFN          MDCHECK           Master Data Consistency Check
GRFN          MIGRATION         GRC migration
GRFN          MSMP_WF_CN        Multi-Stage Multi-Path (MSMP) Workflow — Configuration
GRFN          MSMP_WF_NT        Multi-Stage Multi-Path (MSMP) Workflow — Notification
GRFN          MSMP_WF_RT        Multi-Stage Multi-Path (MSMP) Workflow — Runtime
GRFN          OWP               Offline Workflow Process
GRFN          POLICY            Policy Management
GRFN          REPLACEMENT       GRC replacement
GRFN          REP_ENGINE        Reporting engine
GRFN          RISK_AGGR         Risk Aggregation
GRFN          RM_BANKING        Operational Risk Management for Banking Industry
GRFN          SURVEY            Survey planning


For more information about application logs, see https://help.sap.com/viewer/p/SAP_NETWEAVER_750
» Solution Life Cycle Management » Application Log.


Job Logs 


You can view job logs using transaction SM37. 


Workflow Item Logs 


You can view the workflow item logs using transaction SWI1. 


For more information on workflows, see SAP Workflow Administration at http://help.sap.com.


6.1.4 Important Application Objects 


We recommend you monitor the following access control solution objects: 


Objects to Monitor

Object                   Tools               Description
Process Overview         Transaction SM50    The monitor tracks the amount of time critical processes such as dialog (DIA), update (UPD), or background (BGD) have been running. Processes that have been running too long are shown in red in the runtime column. Ensure there are enough background work processes on the GRC system. You can use operation mode to switch work processes.
Background Process       Transaction SM37    Select the jobs by job name, user name, status, and time period to display a status overview of scheduled jobs. Look for any canceled jobs.
Application Logs         Transaction SLG1    Enable the application logs for potential risk areas. For more information, see Trace and Log Files.
CCMS                     Transaction RZ20    Monitor the following: SAP buffer configuration; database workload; operating system workload; system logs for errors; system errors for application dumps; workload analysis for any performance issues.
Shared Objects Memory    Transaction SHMM    Transaction SHMM provides an overview of the area instances in the shared objects memory of the current application server.
Workflow event queue     SWEQADM             Use the event queue to delay the starting of receivers reacting to a triggering event. This spreads the system load over a longer time period to combat the threat of system overload. The system administrator sets the event queue.
SICF                     Transaction SICF    Use this transaction to activate Internet services, Web services, and Web Dynpro.
SIGS                     Transaction SIGS    Use this transaction to view the status of IGS services and the required parameters.


6.2 Managing the Application


SAP provides you with an infrastructure to help your technical support consultants and system administrators 
manage all SAP components and complete tasks related to administration and operation. 


6.2.1 Starting and Stopping 


The access control solution is provided as add-on components for SAP NetWeaver. You start and stop them 
with SAP NetWeaver Web Application Server. 


-> Recommendation 


For more information about STARTSAP/STOPSAP and SAPMMC, see the Technical Operations Manual for
SAP NetWeaver.


6.2.2 Backup and Restore 


You need to back up your system landscape regularly to ensure that you can restore and recover it in case of 
failure. All application data for the applications reside in the underlying database. 


The applications rely on the SAP NetWeaver ABAP standard capabilities for the technical operations. The 
configuration data is stored in the Implementation Guide (IMG) database tables. These settings are established 
during the Customizing activities during implementation (transaction SPRO). 


Note


If you use a document management system (DMS) that stores data outside of the underlying database, 
refer to the backup and restore recommendations for that DMS. 


6.2.3 System Copy 


The access control solution uses the standard tools and procedures of SAP NetWeaver. 


Note


A client copy from one system into another system with a different operating system or database is not an 
alternative to a complete heterogeneous migration. For example, client copies do not ensure that all 
repository changes are taken over into the new system. Therefore, if you want to change your database or 
application server platform, a heterogeneous system copy is the only procedure that ensures full data 
replication. 


For more information, see SAP OS/DB Migration Check at https://support.sap.com/osdbmigration.


6.2.4 Periodic Tasks 


In addition to the standard jobs mentioned in the Technical Operations Manual for SAP NetWeaver, access 
control specific jobs must be scheduled in your system. Run all jobs, unless otherwise specified, at times of 
minimal system activity (so as not to affect performance or otherwise disrupt your daily operations). All jobs 
can be restarted. There are no dependencies between the jobs. 


6.2.4.1 Scheduled Periodic Tasks 


This information describes the tasks required to keep the application running smoothly. You can configure the 
tasks to automatically run. It is important that you monitor the execution of these tasks on a regular basis. The 
tasks are scheduled using transaction SM36, except for the Background Job for Missed Deadlines, which uses 
transaction SWU3. 


Scheduled Periodic Tasks

Program Name/Task                                Recommended Frequency    Description
Schedule Background Job for Missed Deadlines     Every 3 minutes          Specify a time interval at which the background job is called regularly. With each execution, the background job checks whether new deadlines have been missed since the last time it ran.
Schedule Job for Sending E-Mail                  Every 3 minutes          This program checks whether there are new work items for Process Control and Risk Management, and determines the e-mail addresses of the work item recipients.
GRFN_AM_JOBSTEP_MONITOR                          Hourly                   The monitoring program to update job / job step status.
Transfer Work Items to Replacement               Daily                    The program transfers work items from users that are no longer working in Process Control and Risk Management to the replacement users entered in the system for these users.
Maintain DataMart                                Daily                    Schedule the report GRFN_DATAMART_MAINTAIN. This can be used for maintaining and uploading the data to DataMart.


6.2.4.2 Synchronization Tasks


The following tasks are accomplished through the Customizing activities (transaction SPRO) found at SAP
Reference IMG » Governance, Risk, and Compliance » Access Control » Synchronization Jobs.


Refer to the documentation next to each activity for detailed directions. 


Note


The frequencies are recommendations. Adjust them according to your business need. For example, when 
you are first implementing the product, you might want to run these tasks more often. 


Synchronization Tasks

Customizing Task Name                                                               Recommended Frequency    Transaction
Authorization Synch                                                                 Weekly                   GRAC_AUTH_SYNC
Repository Object Synch (includes Profile, Role and User Synchronization)           Daily                    GRAC_REP_OBJ_SYNC
Action Usage Synch                                                                  Daily                    GRAC_ACT_USAGE_SYNC
Role Usage Synch                                                                    Daily                    GRAC_ROLE_USAGE_SYNC
Firefighter Log Synch                                                               Daily                    GRAC_SPM_LOG_SYNC
Firefighter Workflow Synch                                                          Daily                    GRAC_SPM_WF_SYNC
Fetch IDM Schema                                                                    as needed                GRAC_IDM_SCHEMA_SYNC
EAM Master Data Synch                                                               as needed                GRAC_SPM_SYNC


6.2.5 User Management 


The access control solution uses SAP NetWeaver for user management. 


For more information on user roles and authorizations, see the Security Guide at
https://help.sap.com/viewer/p/SAP_ACCESS_CONTROL.


6.3 Data Archiving and Management


The access control solution uses the SAP Information Lifecycle Management (ILM) framework to maintain data 
protection and archiving. 


For information on using ILM, and on the access control data and archiving objects, see the Security Guide for 
SAP Access Control 12.0. 


6.4 High Availability and Load Balancing 


The access control solution uses the SAP NetWeaver framework and tools for high availability and load 
balancing. 


For more information, see the Technical Operations Manual for SAP NetWeaver.


6.5 Software Change Management 


Software Change Management standardizes and automates software distribution, maintenance, and testing 
procedures for software landscapes and multiple software development platforms. These functions support 
your project teams, development teams, and application support teams. 


Software Change Management establishes solution-wide change management that allows for specific 
maintenance procedures, global rollouts (including localizations), and open integration with third-party 
products. 


This section provides additional information about the most important software components. 


The following topics are covered: 


* Transport and Change Management:
  Enables and secures the distribution of software changes from the development environment to the quality
  assurance and production environment.
* Development Request and Development Release Management:
  Enables customer-specific maintenance procedures and open integration with third-party products.
* Template Management:
  Enables and secures the rollout of global templates, including localizations.
* Quality Management and Test Management:
  Reduce the time, cost, and risk associated with software changes.
* Support Packages and SAP Notes Implementation:
  Provide standardized software distribution and maintenance procedures.
* Release and Upgrade Management:
  Reduces the time, cost, and risk associated with upgrades.


6.5.1 Transport and Change Management


For transport and change management issues, the procedures of SAP NetWeaver apply. 


-> Recommendation


For more information, see Technical Operations Manual for SAP NetWeaver. 


6.5.2 Development Requests and Development Release Management


The standard procedures of SAP NetWeaver apply. 


For more information, see Technical Operations Manual for SAP NetWeaver. 


6.5.3 Support Packages and Patch Implementation 


We recommend you implement Support Package Stacks (SP-STACKS), which are sets of Support Packages 
and patches for the respective product version that must be used in the given combination. 


Read the corresponding Release and Information Notes (RIN) before you apply any Support Packages or 
Patches of the selected SP-Stack. 


The RIN and support packages are available at the SAP Support Portal: http://support.sap.com/patches.


6.6 Troubleshooting 


The access control solution is an add-on component for SAP NetWeaver and uses the same troubleshooting 
tools for the SAP NetWeaver Application server. 


For more information, go to the SAP Support Portal > Tools at http://support.sap.com.


Note


When reporting any issues for troubleshooting, use component GRC-SAC.


6.6.1 Configuring Remote Connection to SAP Support


SAP offers access to remote support and remote services. You have to set up a remote network connection to 
SAP. 


For information on how to set up and use Remote Connections, go to
https://support.sap.com/remoteconnections.


Read-Only Role 


For remote support from SAP, a support user must have read-only access to the support tools. Since these 
applications are built upon the NetWeaver ABAP stack, a support user can use the SAP standard CSS remote 
support tool which is accessible through the SAPGUI or web browser. 


The access control solution uses this read-only role: SAP_GRAC_DISPLAY_ALL. 


6.6.2 Support Components 


You can use the following components information when requesting support for the access control solution. 


Component Description 

GRC-SAC-ARA Access Risk Management 
GRC-SAC-ARQ Access Request 

GRC-SAC-BRM Business Role Management 
GRC-SAC-EAM Emergency Access Management 


6.7 Categories of System Components for Backup and Restore


Category I
    Category Properties: Only software, no configuration, or application data
    Suggested Methods for Backup and Restore: No backup, new installation in case of a recovery; Initial software backup after installation and upgrade; Backup of log files
    Examples: BDOC modeler

Category II
    Category Properties: Only software and configuration information, no application data
    Suggested Methods for Backup and Restore: Backup after changes have been applied; No backup, new installation, and configuration in case of a recovery; Backup of log files
    Examples: SAP Gateway; Communication Station; SAP Business Connector, SAP IPC (2.0C)

Category III
    Category Properties: Only replicated application data, replication time is sufficiently small for a recovery
    Suggested Methods for Backup and Restore: Data: No data backup needed; Backup of software, configuration, log files
    Examples: SAP IMS/Search Engine; SAP IPC (2.0B)

Category IV
    Category Properties: Only replicated application data, backup recommended because replication time is too long, data not managed by a DBMS
    Suggested Methods for Backup and Restore: Data: Application specific file system backup or Multiple instances; Backup of software, configuration, log files
    Examples: SAP IMS/Search Engine; Web server; SAP IPC (2.0B)

Category V
    Category Properties: Only replicated application data, backup recommended because replication time is too long, data managed by a DBMS
    Suggested Methods for Backup and Restore: Data: Database and log backup or Multiple instances; Backup of software, configuration, log files
    Examples: SAP IPC (2.0B); Catalog Server; Web server

Category VI
    Category Properties: Original application data, standalone system, data not managed by a DBMS
    Suggested Methods for Backup and Restore: Data: Application specific file system backup; Backup of software, configuration and log files
    Examples: Web Server
Administrator Guide: SAP Access Control 12.0 
46 PUBLIC Operations 


Categories of Systems 


Category Properties 


Suggested Methods for 


Examples 


Components Backup and Restore 
Vil Original application data, Data none available 
tandal tem, dat 
sicubi ind MR MOD Database and log backup 
managed by a DBMS, not 
based on SAP NetWeaver Ap- Backup of software, configu- 
plication Server ration and log files 
VIII Original application data, Data Standalone SAP 
tandal tem, based 
al aes 2 Database and log backup, SAP ERP 
SAP NetWeaver Application ue 
application log backup (such . 
Server j Mss none available 
as job logs in file system) 
Backup of software, configu- 
ration and log files 
IX Original application data, Data none available 
dat h ith oth 
Md ds dial Application specific file sys- 
systems, data not managed : 
tem backup, data consis- 
by a DBMS i 
tency with other systems 
must be considered 
Backup of software, configu- 
ration, log files 
X Original application data, Data SAP Live Cache 
dat h ith oth 
odia Database and log backup, SAP Mobile 
systems, data managed by a . ] 
data consistency with other 
DBMS, not based on SAP . Workbench 
Systems must be considered 
NetWeaver Application 
Server Backup of software, configu- 
ration, log files 
XI Original application data, Data SAP ERP 
dat h ith oth 
AE A MAR Database and log backup, SAP CRM 
SMe eee on SAP Net: application log backup (such 
Weaver Application Server pP E p SAP APO 
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as job logs in the system), 
data consistency with other 
systems must be considered 


Backup of software, configu- 
ration, log files 


SAP NetWeaver Business 
Warehouse 
Important Disclaimers and Legal Information


Hyperlinks 


Some links are classified by an icon and/or a mouseover text. These links provide additional information. 
About the icons: 


- Links with the icon [icon]: You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

  - The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

  - SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

- Links with the icon [icon]: You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.


Beta and Other Experimental Features 


Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by 
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use 
the experimental features in a live operating environment or with data that has not been sufficiently backed up. 

The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your 
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP. 


Example Code 


Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax 
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of 
example code unless damages have been caused by SAP's gross negligence or willful misconduct. 


Gender-Related Language 


We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders. 
www.sap.com/contactsap


© 2018 SAP SE or an SAP affiliate company. All rights reserved. 


No part of this publication may be reproduced or transmitted in any form 
or for any purpose without the express permission of SAP SE or an SAP 
affiliate company. The information contained herein may be changed 
without prior notice. 


Some software products marketed by SAP SE and its distributors 
contain proprietary software components of other software vendors. 
National product specifications may vary. 


These materials are provided by SAP SE or an SAP affiliate company for 
informational purposes only, without representation or warranty of any 
kind, and SAP or its affiliated companies shall not be liable for errors or 
omissions with respect to the materials. The only warranties for SAP or 
SAP affiliate company products and services are those that are set forth 
in the express warranty statements accompanying such products and 
services, if any. Nothing herein should be construed as constituting an 
additional warranty. 


SAP and other SAP products and services mentioned herein as well as 
their respective logos are trademarks or registered trademarks of SAP 
SE (or an SAP affiliate company) in Germany and other countries. All 
other product and service names mentioned are the trademarks of their 
respective companies. 


Please see https://www.sap.com/about/legal/trademark.html for 
additional trademark information and notices. 